pcap_tools 0.0.8 → 0.0.9
- data/README.markdown +6 -0
- data/bin/pcap_tools +10 -2
- data/lib/pcap_tools/loader.rb +34 -20
- data/lib/pcap_tools/packet_processors/tcp.rb +5 -0
- data/pcap_tools.gemspec +1 -1
- metadata +2 -2
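--- a/data/README.markdown
+++ b/data/README.markdown
@@ -127,3 +127,9 @@ The request and response object have some new attributes
 For the response object body, the following "Content-Encoding" type are honored :
 
 * gzip
+
+# FAQ
+
+* `pcap_tools` found nothing in my pcap_files. Try to remove the wiresark profile, and re launch: `rm -rf $HOME/.wireshark/profiles/pcap_tools`.
+
+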
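--- a/data/bin/pcap_tools
+++ b/data/bin/pcap_tools
@@ -15,7 +15,7 @@ OptionParser.new do |opts|
 end
 
 opts.on("--tshark_path", "Path to tshark executable") do |x|
-OPTIONS[:
+OPTIONS[:tshark] = x
 end
 
 opts.on("--one-tcp-stream [index]", Integer, "Display only one tcp stream") do |x|
@@ -26,6 +26,14 @@ OptionParser.new do |opts|
 OPTIONS[:mode] = m
 end
 
+opts.on("--pdml", "Use pdml file as input instead of pcap") do |x|
+OPTIONS[:pdml] = true
+end
+
+opts.on("--keep_retransmission", "Do not ignore retransmitted packets") do |x|
+OPTIONS[:keep_retransmission] = true
+end
+
 end.parse!
 
 def format_time t
@@ -135,7 +143,7 @@ else
 end
 
 ARGV.each do |f|
-PcapTools::Loader::load_file(f,
+PcapTools::Loader::load_file(f, OPTIONS) do |index, packet|
 processor.inject index, packet
 end
 end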
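Review bot: The `--tshark_path` option is declared without an argument placeholder, so OptionParser treats it as a boolean switch and the new line 18 stores `true` in `OPTIONS[:tshark]`, which the loader then uses as the executable name in place of "tshark"; declare the argument so the block receives the path: `opts.on("--tshark_path PATH", "Path to tshark executable") do |x|`. In the second hunk the new `--pdml` and `--keep_retransmission` blocks declare a block parameter `|x|` they never read; drop it or name it `|_|` so the intent is visible. The `OptionParser.new do |opts|` block enclosing the first two hunks starts outside them.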
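--- a/data/lib/pcap_tools/loader.rb
+++ b/data/lib/pcap_tools/loader.rb
@@ -8,13 +8,14 @@ module PcapTools
 
 class MyParser < ::Ox::Sax
 
-def initialize block
+def initialize opts, block
 @current_packet_index = 0
 @current_packet = nil
 @current_processing = nil
 @current_proto_name = nil
 @current_field_name = nil
 @block = block
+@opts = opts
 end
 
 def attr name, value
@@ -47,6 +48,10 @@ module PcapTools
 @current_packet[:tcp_flags][:ack] = value == "1"
 elsif @current_proto_name == "tcp" && @current_field_name == "tcp.flags.syn"
 @current_packet[:tcp_flags][:syn] = value == "1"
+elsif @current_proto_name == "tcp" && @current_field_name == "tcp.analysis.retransmission"
+@current_packet[:tcp_retransmission] = true
+elsif @current_proto_name == "tcp" && @current_field_name == "tcp.analysis.lost_segment"
+@current_packet[:tcp_lost_segment] = true
 end
 elsif name == :value
 if @current_proto_name == "fake-field-wrapper" && @current_field_name == "data"
@@ -83,6 +88,9 @@ module PcapTools
 $stderr.puts "Malformed packet #{@current_packet_index}"
 return
 end
+if @current_packet[:tcp_retransmission] && !@opts[:keep_retransmission]
+return
+end
 raise "No data found in packet #{@current_packet_index}, protocols found #{@current_packet[:protos]}" if @current_packet[:data].nil? && @current_packet[:size] > 0
 @current_packet.delete :protos
 @block.call @current_packet_index, @current_packet
@@ -93,27 +101,33 @@ module PcapTools
 end
 
 def self.load_file f, options = {}, &block
-
-
-
-
-
-
-
-
-
-
-
-FileUtils.mkdir_p profile_dir
-File.open("#{profile_dir}/disabled_protos", "w") { |io| io.write(list.join("\n") + "\n") }
+if options[:pdml]
+f = File.open(f, 'rb')
+Ox.sax_parse(MyParser.new(options, block), f)
+f.close
+else
+tshark_executable = options[:tshark] || "tshark"
+accepted_protocols = ["geninfo", "tcp", "ip", "eth", "sll", "frame", "null", "ethertype"]
+accepted_protocols += options[:accepted_protocols] if options[:accepted_protocols]
+profile_name = "pcap_tools"
+profile_dir = "#{ENV['HOME']}/.wireshark/profiles/#{profile_name}"
+status = POpen4::popen4("#{tshark_executable} -v") do |stdout, stderr, stdin, pid|
 end
-raise "#{tshark_executable}
-
-
-
-
+raise "#{tshark_executable} not found" unless status
+unless File.exist? "#{profile_dir}/disabled_protos"
+status = POpen4::popen4("#{tshark_executable} -G protocols") do |stdout, stderr, stdin, pid|
+list = stdout.read.split("\n").map { |x| x.split(" ").last }.reject { |x| accepted_protocols.include? x }
+FileUtils.mkdir_p profile_dir
+File.open("#{profile_dir}/disabled_protos", "w") { |io| io.write(list.join("\n") + "\n") }
+end
+raise "#{tshark_executable} execution error when listing protocols" unless status.exitstatus == 0
+end
+status = POpen4::popen4("#{tshark_executable} -n -C #{profile_name} -T pdml -r #{f}") do |stdout, stderr, stdin, pid|
+Ox.sax_parse(MyParser.new(options, block), stdout)
+$stderr.puts stderr.read
+end
+raise "#{tshark_executable} execution error with file #{f}" unless status.exitstatus == 0
 end
-raise "#{tshark_executable} execution error with file #{f}" unless status.exitstatus == 0
 end
 
 end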
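Review bot: The tshark command on new line 125 is assembled by string interpolation and handed to `POpen4::popen4` as one string, so the pcap path `f` (supplied by the caller, from the command line in bin/pcap_tools) and `tshark_executable` (from the `--tshark_path` option) are interpreted by a shell: a path containing a space or a shell metacharacter is split or acted on instead of being read. Escape both with the stdlib `Shellwords` (`require 'shellwords'`), e.g. `"#{Shellwords.escape(tshark_executable)} -n -C #{profile_name} -T pdml -r #{Shellwords.escape(f)}"`, and likewise in the `-v` and `-G protocols` invocations on lines 114 and 118. In the same block, `$stderr.puts stderr.read` runs only after `Ox.sax_parse` has drained stdout, so if tshark writes more to stderr than the pipe buffer holds it can block before stdout is finished and the parse never completes; drain stderr on a separate thread or read it after the child exits. In the `:pdml` branch (new lines 105–107) the handle is closed only on the success path; `File.open(f, 'rb') { |io| Ox.sax_parse(MyParser.new(options, block), io) }` closes it even when parsing raises.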
@@ -20,6 +20,7 @@ module PcapTools
|
|
20
20
|
@streams[stream_index] = {
|
21
21
|
:first => packet,
|
22
22
|
:data => [],
|
23
|
+
:tcp_lost_segment => false,
|
23
24
|
}
|
24
25
|
elsif packet[:tcp_flags][:fin] || packet[:tcp_flags][:rst]
|
25
26
|
if @streams[stream_index]
|
@@ -35,6 +36,10 @@ module PcapTools
|
|
35
36
|
packet[:type] = (packet[:from] == @streams[stream_index][:first][:from] && packet[:from_port] == @streams[stream_index][:first][:from_port]) ? :out : :in
|
36
37
|
packet.delete :tcp_flags
|
37
38
|
@streams[stream_index][:data] << packet if packet[:size] > 0
|
39
|
+
if packet[:tcp_lost_segment]
|
40
|
+
@streams.delete stream_index
|
41
|
+
$stderr.puts "Ignoring tcp stream #{stream_index}, tcp segments are missing"
|
42
|
+
end
|
38
43
|
end
|
39
44
|
end
|
40
45
|
end
|
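Review bot: The stream-level key `:tcp_lost_segment => false` added at new line 23 is never read in these hunks; the check at new line 39 tests the packet's own `packet[:tcp_lost_segment]`, so the stream entry appears unused unless code outside the hunks reads it — drop it, or test the stream's flag so the decision is made once per stream. After `@streams.delete stream_index` on line 40, a later packet carrying the same stream index reaches `@streams[stream_index][:first]` on line 36 and raises NoMethodError on nil unless the enclosing branch, which starts outside the hunk, already guards on `@streams[stream_index]`; if it does not, skip the packet early with `return unless @streams[stream_index]` or keep a sticky per-stream ignore marker instead of deleting the entry. The file header for these two hunks is missing from the rendered page; by the diffstat they belong to data/lib/pcap_tools/packet_processors/tcp.rb rather than loader.rb.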
data/pcap_tools.gemspec
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: pcap_tools
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.9
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2014-11-
|
12
|
+
date: 2014-11-15 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: popen4
|